Commonwealth of Kentucky enacts data breach notification law

On the heels of the widely publicized Target breach, states continue to enact legislation designed to provide notice to their citizens when a security breach involving personal data occurs. Kentucky is the latest state to join the ranks of the other 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands that have security breach notification laws, leaving Alabama, New Mexico and South Dakota as the few jurisdictions without such protections in place.

On April 10, Governor Beshear signed into law H.B. 232, designed to address the compromise of personally identifiable information of residents of the Bluegrass State. The law also requires cloud service providers that contract with educational institutions (K-12) to maintain the security of student data (name, address, email address, emails, and any documents, photos or unique identifiers relating to the student) and prohibits the sale or disclosure, or processing of student data for commercial purposes.

Like most states, Kentucky has defined personally identifiable information as first name or first initial and last name combined with any of the following data elements when the name or data element is not redacted:

Social Security number

Driver’s license number

Account number, credit or debit card number in combination with any required security code, access code or password permitting access to an individual’s financial account

Persons or entities conducting business in Kentucky must disclose a “breach of the security of the system” to Kentucky residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA, and Commonwealth agencies and local governments and political subdivisions are excluded from the notice requirements.

The Kentucky breach notification law applies only to an unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality or integrity of information maintained in a database that includes personal information on multiple individuals. The law incorporates a harm threshold by requiring notice only if the security breach actually causes or leads the information holder to reasonably believe has caused or will cause identify theft or fraud against the Kentucky resident who is the subject of the breach. The good faith acquisition by an employee or agent for the purposes of the information holder will not be considered a breach if the information is not used or subject to further unauthorized disclosure.

Residents must be notified in the most expedient time possible following discovery and without unreasonable delay, subject to law enforcement needs or measures necessary to determine the scope of the breach and restore data system integrity. If the person or entity does not own the computerized data, it must notify the database owner as soon as reasonably practicable.

If notice is timely, entities may follow their own notification procedures contained in an information security policy for personal information and be deemed to be in compliance with the new law. Otherwise, notice may be provided in writing or electronically consistent with the federal E-Sign Act. Substitute notice via a combination of email, website notice and major statewide media is permitted if the information holder does not have sufficient contact information or when the number of affected individuals exceeds 500,000 or the cost of notice would exceed $250,000. The new law contains no reporting requirement to the Attorney General or any other Commonwealth agency. When more than 1,000 individuals are affected at one time, all national consumer reporting agencies and credit bureaus must be notified.

The new law serves as a reminder for entities conducting business in Kentucky to manage the risk of breach and the subsequent notice by including the following in their security management program:

Either redact or do not maintain highly sensitive data elements in databases

Provide policies for the handling of personal information and for further restricting uses and disclosures that occur pursuant to a good faith acquisition of personal information by an employee or agent

Develop notification procedures or review existing notification procedures and follow them when the law’s notice requirement is triggered

Train workforce members on these policies and procedures

Address notification provisions and allocate risk appropriately in contracts with service providers who maintain databases that may contain personal information

Contributing Author

Amy S. Leopard

Amy S. Leopard is a partner in the Health Care Practice Group at Bradley Arant Boult Cummings LLP (Nashville, Tenn.) where she co-chairs the...